
Formal Methods Analysis of the Secure Remote Password Protocol

Chapter in: Logic, Language, and Security

Abstract

We present the first formal analysis of the Secure Remote Password (SRP) protocol, specifically SRP-3, searching for structural weaknesses with the Cryptographic Protocol Shapes Analyzer (CPSA).

SRP is a widely deployed Password Authenticated Key Exchange (PAKE) protocol used in 1Password, iCloud Keychain, and other products. As in other PAKE protocols, the two participants use knowledge of a pre-shared password to authenticate each other and to establish a session key. SRP aims to resist dictionary attacks, to avoid storing a plaintext-equivalent password on the server (the server holds only a verifier \(v = g^x\) derived from the salted password), to avoid patent infringement, and to avoid export controls by not using encryption. Formal analysis of SRP is challenging in part because existing tools provide no simple way to reason about its use of the algebraic expression \(v + g^b \mod q\), the server's blinded ephemeral value, which mixes modular addition with exponentiation.

Modeling \(v + g^b\) as an encryption of \(g^b\) under the key \(v\) (only a party holding \(v\) can recover \(g^b\)), we complete an exhaustive study of all possible execution sequences of SRP. Ignoring possible algebraic attacks, which this abstraction deliberately hides, the analysis detects no major structural weakness and, in particular, no leakage of any secret. We do uncover one notable weakness of SRP, which follows from its design constraints: a malicious server can fake an authentication session with a client without the client's participation, because the verifier \(v\) it already stores suffices to compute every value in the transcript, including the client's proof of possession of the password. This action might facilitate an escalation-of-privilege attack if the client has higher privileges than the server does. We conceived of this attack before we used CPSA and confirmed it by generating the corresponding execution shapes with CPSA.
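The exchange and the malicious-server forgery described above, as an added worked example that is not the chapter's code or its CPSA model. It follows Wu's 1998 description of SRP-3 [51]: \(v = g^x\), \(B = v + g^b\), \(u\) taken from the leading 32 bits of \(H(B)\), \(K = H(S)\), and the proofs \(M_1 = H(A, B, K)\) and \(M_2 = H(A, M_1, K)\). Assumptions: SHA-256 stands in for the hash, the modulus (written \(q\) in the abstract) is the 1024-bit MODP group 2 of RFC 2409 with \(g = 2\), and the password is a constructed test value. The function names are this example's own.

```python
"""SRP-3 between a client and a server, followed by the malicious-server
forgery: a server holding only (salt, v) fabricates a complete transcript,
including the client's proof M1, that its own verifier accepts, with no client.
Added example, not code from the chapter or its CPSA model. Assumptions:
SHA-256 as H, u = leading 32 bits of H(B) (SRP-3; SRP-6 uses H(A, B)),
and the 1024-bit MODP group 2 of RFC 2409 (a safe prime, g = 2)."""
import hashlib
import secrets

N = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
g = 2  # 1024-bit groups are too small for real use (cf. Adrian et al. [1]); demo only


def H(*parts) -> int:
    """SHA-256 over the big-endian encodings of ints and raw bytes, as an int."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        h.update(p)
    return int.from_bytes(h.digest(), "big")


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; only used to sanity-check the group."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % p == 0 for p in small):
        return n in small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def enroll(password: bytes, salt: int) -> int:
    """Client-side setup: the server stores (salt, v = g^x) and never learns x."""
    return pow(g, H(salt, password), N)


class Client:
    def __init__(self, password: bytes):
        self.password = password

    def start(self) -> int:
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(g, self.a, N)
        return self.A

    def respond(self, salt: int, B: int) -> int:
        """K = H(S) with S = (B - g^x)^(a + u x); send M1 = H(A, B, K)."""
        x, u = H(salt, self.password), H(B) >> 224
        S = pow((B - pow(g, x, N)) % N, self.a + u * x, N)
        self.B, self.K = B, H(S)
        self.M1 = H(self.A, B, self.K)
        return self.M1

    def finish(self, M2: int) -> None:
        if M2 != H(self.A, self.M1, self.K):
            raise ValueError("server proof rejected")


class Server:
    def __init__(self, salt: int, v: int):
        self.salt, self.v = salt, v

    def challenge(self, A: int) -> tuple:
        """Send B = v + g^b; K = H(S) with S = (A v^u)^b. Needs only A and v."""
        self.A, self.b = A, secrets.randbelow(N - 2) + 1
        self.B = (self.v + pow(g, self.b, N)) % N
        u = H(self.B) >> 224
        self.K = H(pow(self.A * pow(self.v, u, N) % N, self.b, N))
        return self.salt, self.B

    def verify(self, M1: int) -> int:
        """Check the client's proof and answer with M2 = H(A, M1, K)."""
        if M1 != H(self.A, self.B, self.K):
            raise ValueError("client proof rejected")
        return H(self.A, M1, self.K)


def honest_session(password: bytes, salt: int, v: int) -> bool:
    """Full run; True when both proofs verify and both sides derive the same K."""
    c, s = Client(password), Server(salt, v)
    salt, B = s.challenge(c.start())
    c.finish(s.verify(c.respond(salt, B)))
    return c.K == s.K


def forged_session(salt: int, v: int) -> dict:
    """Malicious server: no client, no password, no x, yet a transcript that
    passes Server.verify. Only A and v enter the server-side derivation, so
    the forger may choose A freely; here it mimics a real client with A = g^a."""
    s = Server(salt, v)
    _, B = s.challenge(pow(g, secrets.randbelow(N - 2) + 1, N))
    M1 = H(s.A, B, s.K)  # the "client's" proof, computed by the server itself
    return {"A": s.A, "B": B, "M1": M1, "M2": s.verify(M1), "K": s.K}
```

Nothing in the forged transcript distinguishes it from an honest one, and the forger never touched \(x\) or the password: this is not a dictionary attack, and the password stays safe. What fails is any trust placed in the server's claim that "the client authenticated", for example an audit log of \(M_1\) values or a higher-privilege component that accepts the server's word for a client session.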


Notes

  1. www.docker.com.

  2. https://www.easycrypt.info/trac/#no1.

  3.

  3. 3.

    Wu incorrectly states the direction of his reduction, but his reduction actually proceeds in the correct direction.

References

  1. Adrian, D., et al.: Imperfect forward secrecy: how Diffie-Hellman fails in practice. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015, pp. 5–17. ACM, New York (2015). https://doi.org/10.1145/2810103.2813707

  2. Arapinis, M., et al.: New privacy issues in mobile telephony: fix and verification. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 205–216. ACM, New York (2012). https://doi.org/10.1145/2382196.2382221

  3. Bartzia, E.-I., Strub, P.-Y.: A formal library for elliptic curves in the Coq proof assistant. In: Klein, G., Gamboa, R. (eds.) ITP 2014. LNCS, vol. 8558, pp. 77–92. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08970-6_6

  4. Basin, D., Cremers, C.: Modeling and analyzing security in the presence of compromising adversaries. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 340–356. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15497-3_21

  5. Basin, D., Cremers, C.: Know your enemy: compromising adversaries in protocol analysis. ACM Trans. Inf. Syst. Secur. 17(2) (2014). https://doi.org/10.1145/2658996

  6. Bellovin, S.M., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: IEEE Symposium on Research in Security and Privacy, pp. 72–84, May 1992

  7. Blake-Wilson, S., Menezes, A.: Authenticated Diffie-Hellman key agreement protocols. In: Selected Areas in Cryptography, SAC 1998, pp. 339–361. Springer, Heidelberg (1999). http://dl.acm.org/citation.cfm?id=646554.694440

  8. Blanchet, B., Smyth, B., Cheval, V.: ProVerif 1.90: automatic cryptographic protocol verifier, user manual and tutorial (2015). http://prosecco.gforge.inria.fr/personal/bblanche/proverif/manual.pdf

  9. Böhl, F., Unruh, D.: Symbolic universal composability. J. Comput. Secur. 24(1), 1–38 (2016)

  10. Boneh, D., Shoup, V.: A graduate course in applied cryptography, version 0.5, January 2020. https://crypto.stanford.edu/~dabo/cryptobook/BonehShoup_0_5.pdf

  11. Browning, S.: Cryptol, a DSL for cryptographic algorithms. In: ACM SIGPLAN Commercial Users of Functional Programming, p. 1. ACM (2010)

  12. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: Proceedings of the 42nd IEEE Symposium on Foundations of Computer Science, FOCS 2001, p. 136. IEEE Computer Society, USA (2001)

  13. Canetti, R., Stoughton, A., Varia, M.: EasyUC: using EasyCrypt to mechanize proofs of universally composable security. In: 2019 IEEE 32nd Computer Security Foundations Symposium (CSF), pp. 167–183 (2019)

  14. Church, A.: An unsolvable problem of elementary number theory. Am. J. Math. 58(2), 345–363 (1936)

  15. Corin, R., Doumen, J., Etalle, S.: Analysing password protocol security against off-line dictionary attacks. Electron. Notes Theoret. Comput. Sci. 121, 47–63 (2005)

  16. Delaune, S., Kremer, S., Pereira, O.: Simulation based security in the applied pi calculus. In: Kannan, R., Kumar, K.N. (eds.) IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science. Leibniz International Proceedings in Informatics (LIPIcs), vol. 4, pp. 169–180. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany (2009). http://drops.dagstuhl.de/opus/volltexte/2009/2316

  17. Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theor. 22(6), 644–654 (1976). https://doi.org/10.1109/TIT.1976.1055638

  18. Ding, J., Alsayigh, S., Lancrenon, J., RV, S., Snook, M.: Provably secure password authenticated key exchange based on RLWE for the post-quantum world. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 183–204. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-52153-4_11

  19. Doghmi, S., Guttman, J., Thayer, F.J.: Skeletons and the shapes of bundles. In: Proceedings of the 7th International Workshop on Issues in the Theory of Security, pp. 24–25 (2006)

  20. Doghmi, S.F., Guttman, J.D., Thayer, F.J.: Searching for shapes in cryptographic protocols. In: Grumberg, O., Huth, M. (eds.) TACAS 2007. LNCS, vol. 4424, pp. 523–537. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-71209-1_41

  21. Dolev, D., Yao, A.C.: On the security of public key protocols. In: Proceedings of the 22nd Annual Symposium on Foundations of Computer Science, SFCS 1981, pp. 350–357. IEEE Computer Society, Washington, DC (1981). https://doi.org/10.1109/SFCS.1981.32

  22. Dreier, J., Duménil, C., Kremer, S., Sasse, R.: Beyond subterm-convergent equational theories in automated verification of stateful protocols. In: Maffei, M., Ryan, M. (eds.) POST 2017. LNCS, vol. 10204, pp. 117–140. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54455-6_6. https://hal.inria.fr/hal-01430490/document

  23. Escobar, S., Meadows, C., Meseguer, J.: A rewriting-based inference system for the NRL protocol analyzer and its meta-logical properties. Theoret. Comput. Sci. 367(1–2), 162–202 (2006)

  24. Escobar, S., Meadows, C., Meseguer, J.: Maude-NPA: cryptographic protocol analysis modulo equational properties. In: Aldini, A., Barthe, G., Gorrieri, R. (eds.) FOSAD 2007-2009. LNCS, vol. 5705, pp. 1–50. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03829-7_1

  25. Escobar, S., Meadows, C., Meseguer, J.: Maude-NPA, Version 3.0, April 2017

  26. Fabrega, F.J.T., Herzog, J.C., Guttman, J.D.: Strand spaces: why is a security protocol correct? In: Proceedings of the 1998 IEEE Symposium on Security and Privacy, pp. 160–171, May 1998. https://doi.org/10.1109/SECPRI.1998.674832

  27. Green, M.: Let's talk about PAKE, October 2018. https://blog.cryptographyengineering.com/2018/10/19/lets-talk-about-pake/

  28. Green, M.: Should you use SRP? October 2018. https://blog.cryptographyengineering.com/should-you-use-srp/

  29. Guttman, J.D., Liskov, M.D., Ramsdell, J.D., Rowe, P.D.: The Cryptographic Protocol Shapes Analyzer (CPSA). https://github.com/mitre/cpsa

  30. Haase, B., Labrique, B.: AuCPace: efficient verifier-based PAKE protocol tailored for the IIoT. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019(2), 1–48 (2019)

  31. Hao, F., Shahandashti, S.F.: The SPEKE protocol revisited. In: Chen, L., Mitchell, C. (eds.) SSR 2014. LNCS, vol. 8893, pp. 26–38. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-14054-4_2

  32. Jablon, D.P.: Strong password-only authenticated key exchange. ACM Comput. Commun. Rev. 26(5), 5–26 (1996)

  33. Jarecki, S., Krawczyk, H., Xu, J.: OPAQUE: an asymmetric PAKE protocol secure against pre-computation attacks. Cryptology ePrint Archive, Report 2018/163 (2018). https://eprint.iacr.org/2018/163

  34. Jarecki, S., Krawczyk, H., Xu, J.: OPAQUE: an asymmetric PAKE protocol secure against pre-computation attacks. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 456–486. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_15

  35. Lanus, E., Zieglar, E.: Analysis of a forced-latency defense against man-in-the-middle attacks. J. Inf. Warfare 16(2), 66–78 (2017). https://www.jstor.org/stable/26502758

  36. Liskov, M.D., Ramsdell, J.D., Guttman, J.D., Rowe, P.D.: The Cryptographic Protocol Shapes Analyzer: A Manual. The MITRE Corporation (2016)

  37. Liskov, M.D., Rowe, P.D., Thayer, F.J.: Completeness of CPSA. Technical report MTR110479, The MITRE Corporation (2011)

  38. Lowe, G.: An attack on the Needham-Schroeder public-key authentication protocol. Inf. Process. Lett. 56(3), 131–133 (1995). http://www.sciencedirect.com/science/article/pii/0020019095001442

  39. Maurer, U.M., Wolf, S.: The Diffie-Hellman protocol. Des. Codes Cryptography 19(2–3), 147–171 (2000). https://doi.org/10.1023/A:1008302122286

  40. Meadows, C.: NRL protocol analyzer. J. Comput. Secur. 1(1) (1992)

  41. Needham, R.M., Schroeder, M.D.: Using encryption for authentication in large networks of computers. Commun. ACM 21(12), 993–999 (1978). https://doi.org/10.1145/359657.359659

  42. Paulson, L.C.: Relations between secrets: two formal analyses of the Yahalom protocol. J. Comput. Secur. 9(3), 197–216 (2001)

  43. Ramsdell, J.D., Guttman, J.D., Millen, J.K., O'Hanlon, B.: An analysis of the CAVES attestation protocol using CPSA. arXiv preprint arXiv:1207.0418 (2012)

  44. Ryan, P.Y.A., Schneider, S.A.: An attack on a recursive authentication protocol. A cautionary tale. Inf. Process. Lett. 65(1), 7–10 (1998). https://doi.org/10.1016/S0020-0190(97)00180-4

  45. Schmidt, B., Meier, S., Cremers, C., Basin, D.: Automated analysis of Diffie-Hellman protocols and advanced security properties. In: 2012 IEEE 25th Computer Security Foundations Symposium, pp. 78–94, June 2012

  46. Sherman, A.T., et al.: PAL GitHub repository, June 2020. https://github.com/egolaszewski/UMBC-Protocol-Analysis-Lab

  47. Steiner, J.G., Neuman, B.C., Schiller, J.I.: Kerberos: an authentication service for open network systems. In: Proceedings Winter USENIX Conference, pp. 191–202 (1988)

  48. Tang, Q., Mitchell, C.J.: On the security of some password-based key agreement schemes. In: Hao, Y., et al. (eds.) CIS 2005. LNCS (LNAI), vol. 3802, pp. 149–154. Springer, Heidelberg (2005). https://doi.org/10.1007/11596981_22

  49. Taylor, D., Wu, T., Mavrogiannopoulos, N., Perrin, T.: RFC 5054, Using the secure remote password (SRP) protocol for TLS authentication. RFC Editor, November 2007. https://doi.org/10.17487/rfc5054

  50. Wu, T.: RFC 2944, Telnet authentication: SRP. RFC Editor, September 2000. https://doi.org/10.17487/rfc2944

  51. Wu, T.: The secure remote password protocol. In: Proceedings of the Internet Society Symposium on Network and Distributed System Security (NDSS 1998)

  52. Wu, T.: The SRP authentication and key exchange system. RFC 2945, RFC Editor, September 2000

  53. Wu, T.: SRP-6: improvements and refinements to the secure remote password protocol, October 2002

  54. Zhang, M.: Analysis of the SPEKE password-authenticated key exchange protocol. IEEE Commun. Lett. 8(1), 63–65 (2004). https://doi.org/10.1109/LCOMM.2003.822506


Acknowledgments

We appreciate the helpful comments from Akshita Gorti and the reviewers. Thanks also to John Ramsdell (MITRE) and other participants at the Protocol eXchange for fruitful interactions. This research was supported in part by the U.S. Department of Defense under CySP Capacity grants H98230-17-1-0387, H98230-18-1-0321, and H98230-19-1-0308. Sherman, Golaszewski, Wnuk-Fink, Bonyadi, and the UMBC Cyber Defense Lab were supported also in part by the National Science Foundation under SFS grants DGE-1241576, 1753681, and 1819521.

To appear in Festschrift in Honour of Professor Andre Scedrov, Vivek Nigam, Editor, LNCS, Springer (June 11, 2020).

Author information

Corresponding author: Alan T. Sherman.

A CPSA Sourcecode

We list the critical snippets of CPSA source code that we used to model SRP-3 and to carry out our analysis. A complete electronic version is available from our public GitHub repository [46].

Fig. 8. Modeling of SRP-3 in CPSA. We define four roles: client-init, server-init, client, and server. The client-init and server-init roles are service roles that initialize the values shared between the client and server roles.

Fig. 9. Rule added to the SRP-3 model to prevent CPSA from instantiating an unlimited number of server-init roles, which would keep CPSA from terminating.

Fig. 10. Client skeleton of SRP-3, which gives CPSA a starting point for analyzing SRP-3 from the client's perspective.

Fig. 11. Server skeleton of SRP-3, which gives CPSA a starting point for analyzing SRP-3 from the server's perspective.

Fig. 12. Client skeleton of SRP-3 with a listener for the value x, which gives CPSA a starting point for analyzing SRP-3 from the client's perspective. The listener role lets CPSA determine whether any execution of SRP-3 can leak the value x.

Fig. 13. Server skeleton of SRP-3 with a listener for the value v, which gives CPSA a starting point for analyzing SRP-3 from the server's perspective. The listener role lets CPSA determine whether any execution of SRP-3 can leak the value v.

Fig. 14. Modeling a malicious server in CPSA. We define the malserver role to behave like a client while having access to the legitimate server's initialized variables. The associated skeleton gives CPSA a starting point for analyzing the malicious-server attack from the perspective of the malicious server.


Copyright information

© 2020 Springer Nature Switzerland AG


Cite this chapter

Sherman, A.T. et al. (2020). Formal Methods Analysis of the Secure Remote Password Protocol. In: Nigam, V., et al. Logic, Language, and Security. Lecture Notes in Computer Science(), vol 12300. Springer, Cham. https://doi.org/10.1007/978-3-030-62077-6_9


  • DOI: https://doi.org/10.1007/978-3-030-62077-6_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-62076-9

  • Online ISBN: 978-3-030-62077-6
